<!doctype html><html lang="en"><head>
    <meta charset="utf-8">
    <title>Cyber Espionage in India: Decoding APT-36's New Linux Malware Campaign</title>
    <link rel="shortcut icon" href="https://www.uptycs.com/hubfs/uptycs_mark_1C_purple_rgb.png">
    <meta name="description" content="Delve into the details of APT-36's new Linux malware campaign aimed at India, its impact on government organizations, and steps for prevention.">
    
    
    <!-- NOTE(review): jQuery 1.11.2 and jquery-migrate 1.2.1 are loaded synchronously in
         <head> (no defer/async), ahead of everything else on the page. Both are long past
         end-of-life; jQuery releases before 3.5.0 carry published security advisories
         (XSS via HTML-string handling, prototype pollution in $.extend). Confirm that no
         page or template code feeds untrusted markup into jQuery (.html(), $(htmlString),
         .append(...)) before accepting this, and plan an upgrade to a supported 3.x line
         with a matching jquery-migrate. The files are served from this origin
         (/hs/hsstatic/), which is why no integrity attribute is present. -->
    <script src="/hs/hsstatic/jquery-libs/static-1.4/jquery/jquery-1.11.2.js"></script>
<script src="/hs/hsstatic/jquery-libs/static-1.4/jquery-migrate/jquery-migrate-1.2.1.js"></script>
<!-- hsjQuery is HubSpot's global alias for the jQuery instance loaded above. It is assigned
     without var/let, so it lands on window as an implicit global. -->
<script>hsjQuery = window['jQuery'];</script>
    <meta property="og:description" content="Delve into the details of APT-36's new Linux malware campaign aimed at India, its impact on government organizations, and steps for prevention.">
    <meta property="og:title" content="Cyber Espionage in India: Decoding APT-36's New Linux Malware Campaign">
    <meta name="twitter:description" content="Delve into the details of APT-36's new Linux malware campaign aimed at India, its impact on government organizations, and steps for prevention.">
    <meta name="twitter:title" content="Cyber Espionage in India: Decoding APT-36's New Linux Malware Campaign">

    

    
    <style>
/* HubSpot stock blog-template rules (CTA buttons, breadcrumb menu, featured image,
   screen-reader-only text). Same declarations as the minified original, expanded and
   annotated; computed values are unchanged. */

/* CTA buttons: force content-box sizing (vendor prefixes for legacy Firefox/WebKit)
   and centre them vertically against surrounding inline text. */
a.cta_button {
  -moz-box-sizing: content-box !important;
  -webkit-box-sizing: content-box !important;
  box-sizing: content-box !important;
  vertical-align: middle;
}

/* Breadcrumb menu: unstyled, flush list; items float left and a "›" glyph is drawn
   through :before on the divider element (single-colon form kept for old IE). */
.hs-breadcrumb-menu {
  list-style-type: none;
  margin: 0;
  padding: 0;
}

.hs-breadcrumb-menu-item {
  float: left;
  padding: 10px 0 10px 10px;
}

.hs-breadcrumb-menu-divider:before {
  content: '›';
  padding-left: 10px;
}

/* Featured image: borderless link, floated right at up to half the column on wide
   viewports; below 568px it is unfloated and stretched to full width. */
.hs-featured-image-link {
  border: 0;
}

.hs-featured-image {
  float: right;
  margin: 0 0 20px 20px;
  max-width: 50%;
}

@media (max-width: 568px) {
  .hs-featured-image {
    float: none;
    margin: 0;
    width: 100%;
    max-width: 100%;
  }
}

/* Visually hidden but still exposed to assistive technology. `clip` is deprecated in
   favour of `clip-path`; it is retained here because it is the widely supported legacy
   pattern and changing it would alter behaviour in older engines. */
.hs-screen-reader-text {
  clip: rect(1px, 1px, 1px, 1px);
  height: 1px;
  overflow: hidden;
  position: absolute !important;
  width: 1px;
}
</style>

<link rel="stylesheet" href="https://www.uptycs.com/hs-fs/hub/2617658/hub_generated/template_assets/51822599820/1670367670899/uptycs-srw/css/styles.min.css">
<link rel="stylesheet" href="https://www.uptycs.com/hs-fs/hub/2617658/hub_generated/module_assets/1664381106938/module_51822599800_u4m-header.css">
<link rel="stylesheet" href="https://www.uptycs.com/hs-fs/hub/2617658/hub_generated/module_assets/51823447372/1664381078873/module_51823447372_u4m-blog-post-cards.min.css">
<link rel="stylesheet" href="https://www.uptycs.com/hs-fs/hub/2617658/hub_generated/module_assets/51822599816/1670607565739/module_51822599816_u4m-subscribe.min.css">
<link rel="stylesheet" href="https://www.uptycs.com/hs-fs/hub/2617658/hub_generated/module_assets/51823447380/1674049581884/module_51823447380_u4m-footer.min.css">
    <script type="application/ld+json">
{
  "mainEntityOfPage" : {
    "@type" : "WebPage",
    "@id" : "https://www.uptycs.com/blog/cyber_espionage_in_india_decoding_apt_36_new_linux_malware"
  },
  "author" : {
    "name" : "Tejaswini Sandapolla",
    "url" : "https://www.uptycs.com/blog/author/tejaswini-sandapolla",
    "@type" : "Person"
  },
  "headline" : "Cyber Espionage in India: Decoding APT-36's New Linux Malware Campaign",
  "datePublished" : "2023-04-17T21:30:00.000Z",
  "dateModified" : "2023-04-17T21:30:00.396Z",
  "publisher" : {
    "name" : "Uptycs",
    "logo" : {
      "url" : "https://2617658.fs1.hubspotusercontent-na1.net/hubfs/2617658/Uptycs%20Logos%202022/uptycs_logo_2C_on-light_rgb.png",
      "@type" : "ImageObject"
    },
    "@type" : "Organization"
  },
  "@context" : "https://schema.org",
  "@type" : "BlogPosting",
  "image" : [ "https://2617658.fs1.hubspotusercontent-na1.net/hubfs/2617658/APT-36_FI_Blog_600x325.jpg" ]
}
</script>


    
<!--  Added by GoogleAnalytics integration -->
<script>
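// Universal Analytics (analytics.js) bootstrap, gated on HubSpot's cookie-consent banner.
//
// window._hsp is HubSpot's privacy-consent command queue. The listener pushed here runs
// once the banner's consent state is known and only injects analytics.js when the visitor
// has allowed all cookies or the "analytics" category.
//
// Changes from the stock snippet:
//  * the tracker URL is pinned to https:// instead of the protocol-relative "//" form, so
//    it can never be fetched over plain HTTP if this markup is ever served from, or
//    embedded in, an http: context;
//  * loading is made idempotent via window._hsGaLoadOnce (mirroring the
//    window._hsGtmLoadOnce guard used by the GTM loader on this page), so that if HubSpot
//    invokes the listener more than once -- e.g. on a consent change -- analytics.js is
//    not injected twice and ga('create') does not register a duplicate tracker.
//    NOTE(review): whether the listener can fire repeatedly is not visible here; the
//    guard is purely defensive.
var _hsp = window._hsp = window._hsp || [];
_hsp.push(['addPrivacyConsentListener', function (consent) {
  var analyticsAllowed = consent.allowed || (consent.categories && consent.categories.analytics);
  if (!analyticsAllowed || window._hsGaLoadOnce) {
    return;
  }
  window._hsGaLoadOnce = true;

  // Standard analytics.js loader: define the `ga` command queue, then insert the
  // async script tag ahead of the first <script> in the document.
  (function (i, s, o, g, r, a, m) {
    i['GoogleAnalyticsObject'] = r;
    i[r] = i[r] || function () {
      (i[r].q = i[r].q || []).push(arguments);
    };
    i[r].l = 1 * new Date();
    a = s.createElement(o);
    m = s.getElementsByTagName(o)[0];
    a.async = 1;
    a.src = g;
    m.parentNode.insertBefore(a, m);
  })(window, document, 'script', 'https://www.google-analytics.com/analytics.js', 'ga');

  ga('create', 'UA-117543321-1', 'auto');
  ga('send', 'pageview');
}]);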
</script>

<!-- /Added by GoogleAnalytics integration -->

<!--  Added by GoogleAnalytics4 integration -->
<script>
// Google Analytics 4 (gtag.js) bootstrap using Google Consent Mode.
//
// Both storage types start out denied and are upgraded only after HubSpot's cookie banner
// reports consent. The consent wiring is guarded by window._hsGoogleConsentRunOnce so a
// second gtag-based snippet on the page does not register a duplicate listener or reset
// the defaults. The gtag.js library itself is loaded by the separate async <script> tag
// that follows this block.
window.dataLayer = window.dataLayer || [];

// Must remain a global function declaration: gtag.js drains window.dataLayer and other
// inline code on the page calls gtag() by name.
function gtag() {
  dataLayer.push(arguments);
}

if (!window._hsGoogleConsentRunOnce) {
  window._hsGoogleConsentRunOnce = true;

  // Consent Mode default: nothing is stored until the banner says otherwise.
  gtag('consent', 'default', {
    'ad_storage': 'denied',
    'analytics_storage': 'denied'
  });

  var _hsp = window._hsp = window._hsp || [];
  _hsp.push(['addPrivacyConsentListener', function (consent) {
    // A missing consent object, or one lacking the relevant category, counts as denied.
    var categories = (consent && consent.categories) || {};
    var allowAll = !!(consent && consent.allowed);
    var analyticsGranted = allowAll || !!categories.analytics;
    var adsGranted = allowAll || !!categories.advertisement;

    gtag('consent', 'update', {
      'ad_storage': adsGranted ? 'granted' : 'denied',
      'analytics_storage': analyticsGranted ? 'granted' : 'denied'
    });
  }]);
}

gtag('js', new Date());
gtag('set', 'developer_id.dZTQ1Zm', true);
gtag('config', 'G-FM1R8N7KP8');
</script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-FM1R8N7KP8"></script>
<!-- /Added by GoogleAnalytics4 integration -->

<!--  Added by GoogleTagManager integration -->
<script>
// HubSpot's consent-gated Google Tag Manager loader for container GTM-P663XDQ.
// window._hsp is HubSpot's privacy-consent command queue.
var _hsp = window._hsp = window._hsp || [];

// Injects gtm.js at most once per page; window._hsGtmLoadOnce is the idempotency flag.
// NOTE(review): the flag is only set by this function. The second, unconditional GTM
// snippet further down in <head> injects the same container without setting it, so once
// consent is granted this function will add a second gtm.js tag for GTM-P663XDQ.
var hsLoadGtm = function loadGtm() {
    if(window._hsGtmLoadOnce) {
      return;
    }

    // Stock GTM snippet: push the gtm.start event, then insert the async gtm.js script
    // ahead of the first <script> in the document.
    (function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
    new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],
    j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src=
    'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);
    })(window,document,'script','dataLayer','GTM-P663XDQ');

    window._hsGtmLoadOnce = true;
};

// Hard-coded to false, so only the first branch below ever runs on this page: GTM is
// loaded only after the banner reports consent.allowed or the "analytics" category.
// The else branch (Google Consent Mode: load GTM immediately, deny storage by default,
// update grants on consent) is currently dead code.
var useGoogleConsentMode = false;

if (!useGoogleConsentMode){
    _hsp.push(['addPrivacyConsentListener', function(consent){
      if(consent.allowed || (consent.categories && consent.categories.analytics)){
        hsLoadGtm();
      }
  }]);
} else{
    // NOTE(review): this branch shares window._hsGoogleConsentRunOnce with the GA4 snippet
    // earlier in <head>, which already sets it. If the branch were ever enabled after that
    // snippet, the consent defaults/listener below would be skipped and only hsLoadGtm()
    // would run -- i.e. GTM would load with no consent handling at all.
    if(!window._hsGoogleConsentRunOnce){
      window._hsGoogleConsentRunOnce=true;

      window.dataLayer=window.dataLayer||[];
      // NOTE(review): a function declaration inside a block in a classic (sloppy-mode)
      // script relies on legacy Annex B hoisting semantics; a `var gtag = function(){...}`
      // would be the unambiguous form if this branch is revived.
      function gtag(){dataLayer.push(arguments);}

      // Consent Mode default: deny both storage types until consent is reported.
      gtag('consent','default',{
        'ad_storage':'denied',
        'analytics_storage':'denied'
      });

      gtag('set','developer_id.dZTQ1Zm',true);

      _hsp.push(['addPrivacyConsentListener',function(consent){
      var hasAnalyticsConsent=consent&&(consent.allowed||(consent.categories&&consent.categories.analytics));
      var hasAdsConsent=consent&&(consent.allowed||(consent.categories&&consent.categories.advertisement));

      gtag('consent','update',{
        'ad_storage':hasAdsConsent?'granted':'denied',
        'analytics_storage':hasAnalyticsConsent?'granted':'denied'
      });
    }]);
  }

  // In Consent Mode the container is loaded immediately, regardless of consent state.
  hsLoadGtm();
}
</script>

<!-- /Added by GoogleTagManager integration -->


<meta name="viewport" content="width=device-width, initial-scale=1">
<!-- Google Tag Manager
     NOTE(review): this second copy of the GTM snippet injects container GTM-P663XDQ
     unconditionally, at parse time, before the HubSpot consent listener registered above
     can have run. It therefore defeats the consent gate in hsLoadGtm() (which only fires
     after consent.allowed / categories.analytics), and because it never sets
     window._hsGtmLoadOnce, hsLoadGtm() will inject gtm.js a second time once consent is
     granted -- two gtm.start events and two gtm.js tags for the same container. The
     <noscript> iframe at the top of <body> likewise loads the container with no consent
     check. Unless loading GTM pre-consent is intended, drop this snippet (and the
     <noscript> fallback) and let hsLoadGtm() own the container. -->
<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],
j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src=
'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);
})(window,document,'script','dataLayer','GTM-P663XDQ');</script>

<!-- End Google Tag Manager -->

<link rel="amphtml" href="https://www.uptycs.com/blog/cyber_espionage_in_india_decoding_apt_36_new_linux_malware?hs_amp=true">

<meta property="og:image" content="https://www.uptycs.com/hubfs/APT-36_FI_Blog_600x325.jpg#keepProtocol">
<meta property="og:image:width" content="600">
<meta property="og:image:height" content="325">
<meta property="og:image:alt" content="Transparent Tribe is targeting Indian government organizations">
<meta name="twitter:image" content="https://www.uptycs.com/hubfs/APT-36_FI_Blog_600x325.jpg#keepProtocol">
<meta name="twitter:image:alt" content="Transparent Tribe is targeting Indian government organizations">

<meta property="og:url" content="https://www.uptycs.com/blog/cyber_espionage_in_india_decoding_apt_36_new_linux_malware">
<meta name="twitter:card" content="summary_large_image">

<link rel="canonical" href="https://www.uptycs.com/blog/cyber_espionage_in_india_decoding_apt_36_new_linux_malware">
<meta property="og:type" content="article">
<link rel="alternate" type="application/rss+xml" href="https://www.uptycs.com/blog/rss.xml">
<meta name="twitter:domain" content="www.uptycs.com">
<meta name="twitter:site" content="@uptycs">

<meta http-equiv="content-language" content="en">






    
<meta name="generator" content="HubSpot"></head>
<body class="  hs-content-id-111418023737 hs-blog-post hs-blog-id-5593128451 ">
<!--  Added by GoogleTagManager integration -->
<noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-P663XDQ" height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript>

<!-- /Added by GoogleTagManager integration -->

    
    
        <div id="hs_cos_wrapper_u4m-header" class="hs_cos_wrapper hs_cos_wrapper_widget hs_cos_wrapper_type_module" style="" data-hs-cos-general-type="widget" data-hs-cos-type="module">

<header class="u4m-header">
  <a class="skip-to-content-link" href="#main-content">Skip to content</a>
  <div class="ie11-banner"><div class="ie11-banner-inner"></div></div>
  <div class="inner">
    <div class="logo">
      <a href="/">
        <img loading="lazy" src="https://www.uptycs.com/hs-fs/hubfs/Uptycs%20Logos%202022/uptycs_logo_2C_on-light_rgb.png?width=360&amp;name=uptycs_logo_2C_on-light_rgb.png" width="360" alt="uptycs_logo_2C_on-light_rgb" srcset="https://www.uptycs.com/hs-fs/hubfs/Uptycs%20Logos%202022/uptycs_logo_2C_on-light_rgb.png?width=180&amp;name=uptycs_logo_2C_on-light_rgb.png 180w, https://www.uptycs.com/hs-fs/hubfs/Uptycs%20Logos%202022/uptycs_logo_2C_on-light_rgb.png?width=360&amp;name=uptycs_logo_2C_on-light_rgb.png 360w, https://www.uptycs.com/hs-fs/hubfs/Uptycs%20Logos%202022/uptycs_logo_2C_on-light_rgb.png?width=540&amp;name=uptycs_logo_2C_on-light_rgb.png 540w, https://www.uptycs.com/hs-fs/hubfs/Uptycs%20Logos%202022/uptycs_logo_2C_on-light_rgb.png?width=720&amp;name=uptycs_logo_2C_on-light_rgb.png 720w, https://www.uptycs.com/hs-fs/hubfs/Uptycs%20Logos%202022/uptycs_logo_2C_on-light_rgb.png?width=900&amp;name=uptycs_logo_2C_on-light_rgb.png 900w, https://www.uptycs.com/hs-fs/hubfs/Uptycs%20Logos%202022/uptycs_logo_2C_on-light_rgb.png?width=1080&amp;name=uptycs_logo_2C_on-light_rgb.png 1080w" sizes="(max-width: 360px) 100vw, 360px">
      </a>
    </div>
    <div class="menu"><span id="hs_cos_wrapper_u4m-header_" class="hs_cos_wrapper hs_cos_wrapper_widget hs_cos_wrapper_type_menu" style="" data-hs-cos-general-type="widget" data-hs-cos-type="menu"><div id="hs_menu_wrapper_u4m-header_" class="hs-menu-wrapper active-branch flyouts hs-menu-flow-horizontal" role="navigation" data-sitemap-name="default" data-menu-id="51884278609" aria-label="Navigation Menu">
 <ul role="menu" class="active-branch">
  <li class="hs-menu-item hs-menu-depth-1 hs-item-has-children" role="none"><a href="javascript:;" aria-haspopup="true" aria-expanded="false" role="menuitem"><span class="mega">Products</span></a>
   <ul role="menu" class="hs-menu-children-wrapper">
    <li class="hs-menu-item hs-menu-depth-2 hs-item-has-children" role="none"><a href="https://www.uptycs.com/cloud-security-solutions" role="menuitem">Platform</a>
     <ul role="menu" class="hs-menu-children-wrapper">
      <li class="hs-menu-item hs-menu-depth-3" role="none"><a href="https://www.uptycs.com/cloud-security-solutions" role="menuitem">Unified CNAPP and XDR</a></li>
      <li class="hs-menu-item hs-menu-depth-3" role="none"><a href="https://www.uptycs.com/cloud-security-solutions#telemetry" role="menuitem">The Power of Structured Telemetry</a></li>
      <li class="hs-menu-item hs-menu-depth-3" role="none"><a href="https://www.uptycs.com/why-choose-uptycs" role="menuitem">Why Choose Uptycs?</a></li>
     </ul></li>
    <li class="hs-menu-item hs-menu-depth-2 hs-item-has-children" role="none"><a href="javascript:;" role="menuitem">Attack Surfaces</a>
     <ul role="menu" class="hs-menu-children-wrapper">
      <li class="hs-menu-item hs-menu-depth-3" role="none"><a href="https://www.uptycs.com/product/endpoint-security-service" role="menuitem">Endpoints &amp; Server Security</a></li>
      <li class="hs-menu-item hs-menu-depth-3" role="none"><a href="https://www.uptycs.com/product/container-security-solutions" role="menuitem">Containers &amp; Kubernetes</a></li>
      <li class="hs-menu-item hs-menu-depth-3" role="none"><a href="https://www.uptycs.com/product/cloud-security-services" role="menuitem">Cloud Security</a></li>
     </ul></li>
    <li class="hs-menu-item hs-menu-depth-2 hs-item-has-children" role="none"><a href="javascript:;" role="menuitem">Open Source</a>
     <ul role="menu" class="hs-menu-children-wrapper">
      <li class="hs-menu-item hs-menu-depth-3" role="none"><a href="https://www.uptycs.com/product/open-source-cloud-security-solutions" role="menuitem">Cloudquery</a></li>
      <li class="hs-menu-item hs-menu-depth-3" role="none"><a href="https://www.uptycs.com/product/kubernetes-security-tools" role="menuitem">Kubequery</a></li>
      <li class="hs-menu-item hs-menu-depth-3" role="none"><a href="https://www.uptycs.com/product/open-source-security-tools" role="menuitem">Osquery</a></li>
     </ul></li>
   </ul></li>
  <li class="hs-menu-item hs-menu-depth-1 hs-item-has-children" role="none"><a href="javascript:;" aria-haspopup="true" aria-expanded="false" role="menuitem"><span class="mega">Solutions</span></a>
   <ul role="menu" class="hs-menu-children-wrapper">
    <li class="hs-menu-item hs-menu-depth-2 hs-item-has-children" role="none"><a href="javascript:;" role="menuitem">Category</a>
     <ul role="menu" class="hs-menu-children-wrapper">
      <li class="hs-menu-item hs-menu-depth-3" role="none"><a href="https://www.uptycs.com/solutions/security-and-monitoring-for-cloud-workloads" role="menuitem">Cloud Workload Protection Platform (CWPP)</a></li>
      <li class="hs-menu-item hs-menu-depth-3" role="none"><a href="https://www.uptycs.com/solutions/cloud-security-posture-management" role="menuitem">Cloud Security Posture Management (CSPM)</a></li>
      <li class="hs-menu-item hs-menu-depth-3" role="none"><a href="https://www.uptycs.com/solutions/endpoint-detection-and-response" role="menuitem">eXtended Detection and Response (XDR)</a></li>
      <li class="hs-menu-item hs-menu-depth-3" role="none"><a href="https://www.uptycs.com/solutions/it-asset-inventory" role="menuitem">Insight &amp; Inventory</a></li>
      <li class="hs-menu-item hs-menu-depth-3" role="none"><a href="https://www.uptycs.com/solutions/it-security-compliance" role="menuitem">Audit, Compliance &amp; Governance</a></li>
     </ul></li>
    <li class="hs-menu-item hs-menu-depth-2 hs-item-has-children" role="none"><a href="javascript:;" role="menuitem">Audit &amp; Compliance Frameworks</a>
     <ul role="menu" class="hs-menu-children-wrapper">
      <li class="hs-menu-item hs-menu-depth-3" role="none"><a href="https://www.uptycs.com/solutions/fedramp-compliance" role="menuitem">FedRAMP</a></li>
      <li class="hs-menu-item hs-menu-depth-3" role="none"><a href="https://www.uptycs.com/solutions/soc-type-2-compliance" role="menuitem">SOC-2</a></li>
      <li class="hs-menu-item hs-menu-depth-3" role="none"><a href="https://www.uptycs.com/solutions/cis-compliance" role="menuitem">CIS</a></li>
      <li class="hs-menu-item hs-menu-depth-3" role="none"><a href="https://www.uptycs.com/solutions/pci-compliance" role="menuitem">PCI</a></li>
     </ul></li>
   </ul></li>
  <li class="hs-menu-item hs-menu-depth-1 hs-item-has-children active-branch" role="none"><a href="javascript:;" aria-haspopup="true" aria-expanded="false" role="menuitem"><span class="mega">Resources</span></a>
   <ul role="menu" class="hs-menu-children-wrapper active-branch">
    <li class="hs-menu-item hs-menu-depth-2 hs-item-has-children" role="none"><a href="https://www.uptycs.com/resources" role="menuitem">Resources by Topic</a>
     <ul role="menu" class="hs-menu-children-wrapper">
      <li class="hs-menu-item hs-menu-depth-3" role="none"><a href="https://www.uptycs.com/resources#all" role="menuitem">All Resources</a></li>
      <li class="hs-menu-item hs-menu-depth-3" role="none"><a href="https://www.uptycs.com/resources#cloud-security" role="menuitem">Cloud Security</a></li>
      <li class="hs-menu-item hs-menu-depth-3" role="none"><a href="https://www.uptycs.com/resources#containers-and-kubernetes" role="menuitem">Containers &amp; Kubernetes</a></li>
      <li class="hs-menu-item hs-menu-depth-3" role="none"><a href="https://www.uptycs.com/resources#endpoint-security" role="menuitem">Endpoint Security</a></li>
      <li class="hs-menu-item hs-menu-depth-3" role="none"><a href="https://www.uptycs.com/resources#threat-research" role="menuitem">Threat Research</a></li>
     </ul></li>
    <li class="hs-menu-item hs-menu-depth-2 hs-item-has-children active-branch" role="none"><a href="javascript:;" role="menuitem">Additional Resources</a>
     <ul role="menu" class="hs-menu-children-wrapper active-branch">
      <li class="hs-menu-item hs-menu-depth-3" role="none"><a href="https://www.uptycs.com/demo-tour-pillar-page" role="menuitem"><strong><font color="#8E24AA">Self-Guided Tours</font></strong></a></li>
      <li class="hs-menu-item hs-menu-depth-3 active active-branch" role="none"><a href="https://www.uptycs.com/blog" role="menuitem">Blog</a></li>
      <li class="hs-menu-item hs-menu-depth-3" role="none"><a href="https://www.uptycs.com/upcoming-events" role="menuitem">Events</a></li>
      <li class="hs-menu-item hs-menu-depth-3" role="none"><a href="https://www.uptycs.com/free-osquery-training-intro-to-osquery" role="menuitem">Osquery Tutorial</a></li>
      <li class="hs-menu-item hs-menu-depth-3 hs-item-has-children" role="none"><a href="https://www.uptycs.com/tools-and-integrations" role="menuitem">Tools and Integrations</a>
       <ul role="menu" class="hs-menu-children-wrapper">
        <li class="hs-menu-item hs-menu-depth-4" role="none"><a href="https://www.uptycs.com/uptycs-partner-program" role="menuitem">Partner Program</a></li>
       </ul></li>
      <li class="hs-menu-item hs-menu-depth-3" role="none"><a href="https://www.uptycs.com/uptycs-live-monthly-webinar-series" role="menuitem">Uptycs Live Series</a></li>
     </ul></li>
   </ul></li>
  <li class="hs-menu-item hs-menu-depth-1 hs-item-has-children" role="none"><a href="javascript:;" aria-haspopup="true" aria-expanded="false" role="menuitem">Company</a>
   <ul role="menu" class="hs-menu-children-wrapper">
    <li class="hs-menu-item hs-menu-depth-2" role="none"><a href="https://www.uptycs.com/about-us" role="menuitem">About Us</a></li>
    <li class="hs-menu-item hs-menu-depth-2" role="none"><a href="https://www.uptycs.com/leadership" role="menuitem">Leadership</a></li>
    <li class="hs-menu-item hs-menu-depth-2" role="none"><a href="https://www.uptycs.com/careers" role="menuitem">Careers</a></li>
    <li class="hs-menu-item hs-menu-depth-2" role="none"><a href="https://www.uptycs.com/press-coverage" role="menuitem">Press &amp; News</a></li>
    <li class="hs-menu-item hs-menu-depth-2" role="none"><a href="https://www.uptycs.com/contact-us" role="menuitem">Contact Us</a></li>
    <li class="hs-menu-item hs-menu-depth-2" role="none"><a href="https://www.uptycs.com/security" role="menuitem">Security</a></li>
    <li class="hs-menu-item hs-menu-depth-2" role="none"><a href="https://www.uptycs.com/privacy" role="menuitem">Privacy</a></li>
   </ul></li>
 </ul>
</div></span></div>
    <div class="search-toggle"><i class="fas fa-search search-toggle-button" aria-hidden="true"></i></div>
    <div class="cta"><span id="hs_cos_wrapper_u4m-header_" class="hs_cos_wrapper hs_cos_wrapper_widget hs_cos_wrapper_type_cta" style="" data-hs-cos-general-type="widget" data-hs-cos-type="cta"></span> <span id="hs_cos_wrapper_u4m-header_" class="hs_cos_wrapper hs_cos_wrapper_widget hs_cos_wrapper_type_cta" style="" data-hs-cos-general-type="widget" data-hs-cos-type="cta"><!--HubSpot Call-to-Action Code --><span class="hs-cta-wrapper" id="hs-cta-wrapper-4064fb31-4428-48ee-81ea-f67fbaf14ee6"><span class="hs-cta-node hs-cta-4064fb31-4428-48ee-81ea-f67fbaf14ee6" id="hs-cta-4064fb31-4428-48ee-81ea-f67fbaf14ee6"><!--[if lte IE 8]><div id="hs-cta-ie-element"></div><![endif]--><a href="https://cta-redirect.hubspot.com/cta/redirect/2617658/4064fb31-4428-48ee-81ea-f67fbaf14ee6"><img class="hs-cta-img" id="hs-cta-img-4064fb31-4428-48ee-81ea-f67fbaf14ee6" style="border-width:0px;" src="https://no-cache.hubspot.com/cta/default/2617658/4064fb31-4428-48ee-81ea-f67fbaf14ee6.png" alt="Request Your Demo"></a></span><script charset="utf-8" src="/hs/cta/cta/current.js"></script><script type="text/javascript"> hbspt.cta._relativeUrls=true;hbspt.cta.load(2617658, '4064fb31-4428-48ee-81ea-f67fbaf14ee6', {"useNewLoader":"true","region":"na1"}); </script></span><!-- end HubSpot Call-to-Action Code --></span></div>
    <button class="hamburger-toggle x2"><span class="lines"></span></button>
    <div class="offscreen-menu">
      <div class="content">
        <div class="mobile-search">
            <div class="hs-search-field"> 
              <div class="hs-search-field__bar"> 
                <form action="/hs-search-results">
                  <input type="text" class="hs-search-field__input search-input" name="term" autocomplete="off" aria-label="Search" placeholder="Search">
                  
                  <input type="hidden" name="type" value="SITE_PAGE">
                  <input type="hidden" name="type" value="LANDING_PAGE">
                  <input type="hidden" name="type" value="BLOG_POST">
                  <input type="hidden" name="type" value="LISTING_PAGE">
                  <input type="hidden" name="type" value="KNOWLEDGE_ARTICLE">     

                  
                      

                  
                  

                  
                  <button aria-label="Search" class="search-button"><i class="fas fa-search" aria-hidden="true"></i></button>
                </form>
              </div>
              <ul class="hs-search-field__suggestions"></ul>
            </div>
        </div>   
              
        <div class="mobile-menu"><span id="hs_cos_wrapper_u4m-header_" class="hs_cos_wrapper hs_cos_wrapper_widget hs_cos_wrapper_type_menu" style="" data-hs-cos-general-type="widget" data-hs-cos-type="menu"><div id="hs_menu_wrapper_u4m-header_" class="hs-menu-wrapper active-branch no-flyouts hs-menu-flow-vertical" role="navigation" data-sitemap-name="default" data-menu-id="51884278609" aria-label="Navigation Menu">
 <ul role="menu" class="active-branch">
  <li class="hs-menu-item hs-menu-depth-1 hs-item-has-children" role="none"><a href="javascript:;" aria-haspopup="true" aria-expanded="false" role="menuitem"><span class="mega">Products</span></a>
   <ul role="menu" class="hs-menu-children-wrapper">
    <li class="hs-menu-item hs-menu-depth-2 hs-item-has-children" role="none"><a href="https://www.uptycs.com/cloud-security-solutions" role="menuitem">Platform</a>
     <ul role="menu" class="hs-menu-children-wrapper">
      <li class="hs-menu-item hs-menu-depth-3" role="none"><a href="https://www.uptycs.com/cloud-security-solutions" role="menuitem">Unified CNAPP and XDR</a></li>
      <li class="hs-menu-item hs-menu-depth-3" role="none"><a href="https://www.uptycs.com/cloud-security-solutions#telemetry" role="menuitem">The Power of Structured Telemetry</a></li>
      <li class="hs-menu-item hs-menu-depth-3" role="none"><a href="https://www.uptycs.com/why-choose-uptycs" role="menuitem">Why Choose Uptycs?</a></li>
     </ul></li>
    <li class="hs-menu-item hs-menu-depth-2 hs-item-has-children" role="none"><a href="javascript:;" role="menuitem">Attack Surfaces</a>
     <ul role="menu" class="hs-menu-children-wrapper">
      <li class="hs-menu-item hs-menu-depth-3" role="none"><a href="https://www.uptycs.com/product/endpoint-security-service" role="menuitem">Endpoints &amp; Server Security</a></li>
      <li class="hs-menu-item hs-menu-depth-3" role="none"><a href="https://www.uptycs.com/product/container-security-solutions" role="menuitem">Containers &amp; Kubernetes</a></li>
      <li class="hs-menu-item hs-menu-depth-3" role="none"><a href="https://www.uptycs.com/product/cloud-security-services" role="menuitem">Cloud Security</a></li>
     </ul></li>
    <li class="hs-menu-item hs-menu-depth-2 hs-item-has-children" role="none"><a href="javascript:;" role="menuitem">Open Source</a>
     <ul role="menu" class="hs-menu-children-wrapper">
      <li class="hs-menu-item hs-menu-depth-3" role="none"><a href="https://www.uptycs.com/product/open-source-cloud-security-solutions" role="menuitem">Cloudquery</a></li>
      <li class="hs-menu-item hs-menu-depth-3" role="none"><a href="https://www.uptycs.com/product/kubernetes-security-tools" role="menuitem">Kubequery</a></li>
      <li class="hs-menu-item hs-menu-depth-3" role="none"><a href="https://www.uptycs.com/product/open-source-security-tools" role="menuitem">Osquery</a></li>
     </ul></li>
   </ul></li>
  <li class="hs-menu-item hs-menu-depth-1 hs-item-has-children" role="none"><a href="javascript:;" aria-haspopup="true" aria-expanded="false" role="menuitem"><span class="mega">Solutions</span></a>
   <ul role="menu" class="hs-menu-children-wrapper">
    <li class="hs-menu-item hs-menu-depth-2 hs-item-has-children" role="none"><a href="javascript:;" role="menuitem">Category</a>
     <ul role="menu" class="hs-menu-children-wrapper">
      <li class="hs-menu-item hs-menu-depth-3" role="none"><a href="https://www.uptycs.com/solutions/security-and-monitoring-for-cloud-workloads" role="menuitem">Cloud Workload Protection Platform (CWPP)</a></li>
      <li class="hs-menu-item hs-menu-depth-3" role="none"><a href="https://www.uptycs.com/solutions/cloud-security-posture-management" role="menuitem">Cloud Security Posture Management (CSPM)</a></li>
      <li class="hs-menu-item hs-menu-depth-3" role="none"><a href="https://www.uptycs.com/solutions/endpoint-detection-and-response" role="menuitem">eXtended Detection and Response (XDR)</a></li>
      <li class="hs-menu-item hs-menu-depth-3" role="none"><a href="https://www.uptycs.com/solutions/it-asset-inventory" role="menuitem">Insight &amp; Inventory</a></li>
      <li class="hs-menu-item hs-menu-depth-3" role="none"><a href="https://www.uptycs.com/solutions/it-security-compliance" role="menuitem">Audit, Compliance &amp; Governance</a></li>
     </ul></li>
    <li class="hs-menu-item hs-menu-depth-2 hs-item-has-children" role="none"><a href="javascript:;" role="menuitem">Audit &amp; Compliance Frameworks</a>
     <ul role="menu" class="hs-menu-children-wrapper">
      <li class="hs-menu-item hs-menu-depth-3" role="none"><a href="https://www.uptycs.com/solutions/fedramp-compliance" role="menuitem">FedRAMP</a></li>
      <li class="hs-menu-item hs-menu-depth-3" role="none"><a href="https://www.uptycs.com/solutions/soc-type-2-compliance" role="menuitem">SOC-2</a></li>
      <li class="hs-menu-item hs-menu-depth-3" role="none"><a href="https://www.uptycs.com/solutions/cis-compliance" role="menuitem">CIS</a></li>
      <li class="hs-menu-item hs-menu-depth-3" role="none"><a href="https://www.uptycs.com/solutions/pci-compliance" role="menuitem">PCI</a></li>
     </ul></li>
   </ul></li>
  <li class="hs-menu-item hs-menu-depth-1 hs-item-has-children active-branch" role="none"><a href="javascript:;" aria-haspopup="true" aria-expanded="false" role="menuitem"><span class="mega">Resources</span></a>
   <ul role="menu" class="hs-menu-children-wrapper active-branch">
    <li class="hs-menu-item hs-menu-depth-2 hs-item-has-children" role="none"><a href="https://www.uptycs.com/resources" role="menuitem">Resources by Topic</a>
     <ul role="menu" class="hs-menu-children-wrapper">
      <li class="hs-menu-item hs-menu-depth-3" role="none"><a href="https://www.uptycs.com/resources#all" role="menuitem">All Resources</a></li>
      <li class="hs-menu-item hs-menu-depth-3" role="none"><a href="https://www.uptycs.com/resources#cloud-security" role="menuitem">Cloud Security</a></li>
      <li class="hs-menu-item hs-menu-depth-3" role="none"><a href="https://www.uptycs.com/resources#containers-and-kubernetes" role="menuitem">Containers &amp; Kubernetes</a></li>
      <li class="hs-menu-item hs-menu-depth-3" role="none"><a href="https://www.uptycs.com/resources#endpoint-security" role="menuitem">Endpoint Security</a></li>
      <li class="hs-menu-item hs-menu-depth-3" role="none"><a href="https://www.uptycs.com/resources#threat-research" role="menuitem">Threat Research</a></li>
     </ul></li>
    <li class="hs-menu-item hs-menu-depth-2 hs-item-has-children active-branch" role="none"><a href="javascript:;" role="menuitem">Additional Resources</a>
     <ul role="menu" class="hs-menu-children-wrapper active-branch">
      <li class="hs-menu-item hs-menu-depth-3" role="none"><a href="https://www.uptycs.com/demo-tour-pillar-page" role="menuitem"><strong><font color="#8E24AA">Self-Guided Tours</font></strong></a></li>
      <li class="hs-menu-item hs-menu-depth-3 active active-branch" role="none"><a href="https://www.uptycs.com/blog" role="menuitem">Blog</a></li>
      <li class="hs-menu-item hs-menu-depth-3" role="none"><a href="https://www.uptycs.com/upcoming-events" role="menuitem">Events</a></li>
      <li class="hs-menu-item hs-menu-depth-3" role="none"><a href="https://www.uptycs.com/free-osquery-training-intro-to-osquery" role="menuitem">Osquery Tutorial</a></li>
      <li class="hs-menu-item hs-menu-depth-3 hs-item-has-children" role="none"><a href="https://www.uptycs.com/tools-and-integrations" role="menuitem">Tools and Integrations</a></li>
      <li class="hs-menu-item hs-menu-depth-3" role="none"><a href="https://www.uptycs.com/uptycs-live-monthly-webinar-series" role="menuitem">Uptycs Live Series</a></li>
     </ul></li>
   </ul></li>
  <li class="hs-menu-item hs-menu-depth-1 hs-item-has-children" role="none"><a href="javascript:;" aria-haspopup="true" aria-expanded="false" role="menuitem">Company</a>
   <ul role="menu" class="hs-menu-children-wrapper">
    

    
<main id="main-content" class="body-container-wrapper">

  
  <section class="u4m-blog-post">
    <!-- Blog Post Hero -->
    <div class="hero">
      <div class="content">
        <span class="date">April 17, 2023</span>
        <h1 class="title"><span id="hs_cos_wrapper_name" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="text">Cyber Espionage in India: Decoding APT-36's New Linux Malware Campaign</span></h1>
        <div class="author-wrap">
          <div class="avatar lazy" data-bg="https://2617658.fs1.hubspotusercontent-na1.net/hub/2617658/hubfs/Tejaswini%20Head%20Shot.jfif?length=100&amp;name=Tejaswini%20Head%20Shot.jfif"></div>
          <div class="author-link">Written by: <a href="https://www.uptycs.com/blog/author/tejaswini-sandapolla">Tejaswini Sandapolla</a></div>        
        </div>
      </div>
    </div>
    <!-- End Blog Post Hero -->
  
    <!-- Blog Post Body -->
    <div class="body" id="body">
      <div class="content"><span id="hs_cos_wrapper_post_body" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_rich_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="rich_text"><p>The Uptycs threat research team has discovered a new Linux malware, Poseidon, deployed by the APT-36 group, also known as Transparent Tribe. This Pakistan-based advanced persistent threat group is notorious for targeting Indian government organizations, military personnel, and defense contractors.</p>
<!--more-->
<p>Transparent Tribe used the Kavach authentication tool as a cover to deliver the Poseidon payload. Kavach is a two-factor authentication (2FA) solution provided by the Indian government for secure access to their email services. Transparent Tribe created a backdoored version of Kavach to target Linux users working for Indian government agencies. When a user interacts with the malicious version of Kavach, the genuine login page is displayed to distract them. Meanwhile, the payload is downloaded in the background, compromising the user's system.</p>
<p>Poseidon is a second-stage payload malware associated with Transparent Tribe. It is a general-purpose backdoor that provides attackers with a wide range of capabilities to hijack an infected host. Its functionalities include logging keystrokes, taking screen captures, uploading and downloading files, and remotely administering the system in various ways. Primarily, Poseidon is distributed through malicious websites disguised as legitimate Indian government sites.</p>
<p>Uptycs research found that the malware infrastructure, such as malicious domains, is linked to earlier APT-36 campaigns. This highlights the group's continued focus on the aforementioned Indian targets. Repercussions of this APT-36 attack could be significant, leading to loss of sensitive information, compromised systems, financial losses, and reputational damage.</p>
<p>Moreover, as the Transparent Tribe is thought to be state-sponsored, its activities could escalate tensions between nations, potentially resulting in retaliatory cyberattacks. This highlights the importance of implementing robust cybersecurity measures and remaining vigilant against the ever-evolving threat landscape.</p>
<p>&nbsp;</p>
<h2>FAQs</h2>
<h3><strong>Q: What is APT-36 and who are its main targets?</strong></h3>
<p>APT-36, aka Transparent Tribe, primarily targets Indian government organizations, military personnel, and defense contractors. Its objective is usually to gather sensitive information, conduct cyber espionage, and compromise the security of its targets.</p>
<h3><strong>Q: What are some previous APT-36 campaign examples?</strong></h3>
<p>APT-36 is known to have exploited various platforms, including Windows and Android. The bad actors often create fake websites and documents that mimic legitimate government entities or organizations. This can trick targeted users into revealing their credentials or downloading malware onto their systems. It has also used custom-developed malware such as the Crimson RAT (remote access trojan) for cyber espionage.</p>
<h3><strong>Q: How can organizations know if they are infected with Poseidon?</strong></h3>
<p>Organizations can determine whether they are infected with Poseidon by looking for the indicators of compromise (IOCs) associated with this campaign. The Uptycs threat research team has provided <a href="#IOC" rel="noopener" style="text-decoration: none;">a list of IOCs</a> related to Poseidon below.</p>
<h3><strong>Q: How can users protect themselves from attacks by Transparent Tribe and other threat actors?</strong></h3>
<p>Users can protect themselves by following these best practices:</p>
<ul style="font-size: 16px;">
<li style="color: #000000;" aria-level="1"><span style="color: #000000;">Be cautious of unsolicited emails; verify the sender's authenticity before clicking on any links or opening attachments.</span></li>
<li style="color: #000000;" aria-level="1"><span style="color: #000000;">Regularly update software and operating systems with the latest patches and security updates.</span></li>
<li style="color: #000000;" aria-level="1"><span style="color: #000000;">Employ strong, unique passwords; enable two-factor authentication where possible.</span></li>
<li style="color: #000000;" aria-level="1"><span style="color: #000000;">Use reputable antivirus software and keep it up to date.</span></li>
<li style="color: #000000;" aria-level="1"><span style="color: #000000;">Be vigilant when visiting websites; double-check the validity of URLs (e.g., spelling) before downloading files or entering sensitive information.</span></li>
</ul>
<h3><strong>Q: How does Uptycs XDR detect and protect against Poseidon malware?</strong></h3>
<p>Uptycs XDR (extended detection and response) protects against the Poseidon malware used in this APT-36 campaign. Uptycs uses advanced capabilities, including built-in <a href="/blog/resource-smart-yara-scans-saving-cpu-and-time-with-osquery" rel="noopener" target="_blank">YARA rules</a> and contextual detections, to identify and analyze malware threats. By leveraging Uptycs XDR, your organization can effectively safeguard your systems and data from APT-36 and other advanced threats.</p>
<p>&nbsp;</p>
<h2>Technical Analysis</h2>
<p>The Uptycs threat research team has uncovered an ELF malware sample (MD5: c82bf2c50900b89b66e9f62d68c415ab). It’s a compiled Python executable (Pyinstaller) of nearly 5 MB in size.</p>
<p>Upon extraction, a possible entry point is Kavach.pyc (Fig. 1). Next, we decompile it to recover its source code.</p>
<p style="text-align: center;"><span style="font-size: 10px;"><img src="https://lh5.googleusercontent.com/oyaG7574lx8eZkyxshaBE_geqdIeznk98WJ-rdhZgB713nxd4_gAObtj-IsrBqZkQuD65ALETUjxlmhbG43Y_BdH5ahSMPNXyCEHroW6PxvGbI4e41CeQG-DtaMAnB-VEuoBdxuJdMzKbQ1GCX_VsDQ" width="889" height="152" loading="lazy" style="width: 889px; height: auto; max-width: 100%;" alt="Screenshot of the .pyc file extraction from a pyinstaller executable"></span></p>
<p style="text-align: center; font-size: 14px;"><em>Fig. 1 – Extraction of .pyc files from pyinstaller executable</em></p>
<p>&nbsp;</p>
<p>As seen in the Fig. 2 Python code, the ELF file distracts the user by opening the legitimate Kavach login page (Fig. 3), where 2FA is provided to Indian users accessing their government email service. In the background, however, a malicious “bosshelp” file is downloaded from hxxps://sharing1[.]filesharetalk[.]com/bosshelp to the user’s ~/.local/share directory.</p>
<p><span style="font-size: 10px;"><img src="https://lh6.googleusercontent.com/bXHA12RifyrntTmHZUT1c2u5pVMjFGcNrpZI5KSqAS8i19BNIl6UIi_YpSv5VzYEAAYnWCnQPAi90a_zPenomif7BTBVbFXUpAdJOmoPsIsELmFdyIlc9Z5VRyxy3Ovz2lbl5SK4JB4EqBRTbAQ4M90" width="822" height="228" loading="lazy" style="width: 822px; height: auto; max-width: 100%;" alt="A malicious &quot;bosshelp&quot; file download that runs in the background during the 2FA login"></span></p>
<p style="text-align: center; font-size: 14px;"><em>Fig. 2 – Decompiled Python code</em></p>
<p>&nbsp;</p>
<p>It also creates a crontab entry that periodically logs the victim's machine “loginname” to /dev/shm/mycron.</p>
<p><span style="font-size: 10px;"><img src="https://lh4.googleusercontent.com/W5G1jmGOC-Hy269wQheDtuhfnM8CUkGzAcKmCCxzoQqVMiz_59wM2pubvDvzysaO5zk4U4n7zNJqF8b_2bJAf3-pwI13jlxtFUutuvxAQtorGlhpnfYDQp63ucRexR5gpmZHzeiDeE2eB7UCJMrqURU" width="906" height="368" loading="lazy" style="width: 906px; height: auto; max-width: 100%;" alt="This Kavach login page appears legitimate to trick users"></span></p>
<p style="text-align: center; font-size: 14px;"><em>Fig. 3 – Legitimate Kavach login page to trick users</em></p>
<p>&nbsp;</p>
<p>Let's now examine the “bosshelp” second stage payload.</p>
<p>&nbsp;</p>
<h2>Payload 2</h2>
<p>This payload (MD5: aeb3ad3426794d4e90de4d139e92ee4d) is a Golang ELF binary built with Go version 1.17.8; it is an unsigned <a href="https://github.com/MythicAgents/poseidon" rel="noopener" target="_blank"><span>Poseidon</span></a> payload from the MythicAgents project. Upon execution, it initiates a check-in connection with the C2 server, sending the following data:</p>
<p style="padding-left: 40px;"><span style="font-family: 'Courier New', Courier, monospace;">“Checkin” <em>keyword</em></span></p>
<p style="padding-left: 40px;"><span style="font-family: 'Courier New', Courier, monospace;">Process name</span></p>
<p style="padding-left: 40px;"><span style="font-family: 'Courier New', Courier, monospace;">OS</span></p>
<p style="padding-left: 40px;"><span style="font-family: 'Courier New', Courier, monospace;">PID</span></p>
<p style="padding-left: 40px;"><span style="font-family: 'Courier New', Courier, monospace;">IP Address</span></p>
<p style="padding-left: 40px;"><span style="font-family: 'Courier New', Courier, monospace;">Hostname</span></p>
<p style="padding-left: 40px;"><span style="font-family: 'Courier New', Courier, monospace;">UUID</span></p>
<p style="padding-left: 40px;"><span style="font-family: 'Courier New', Courier, monospace;">“Amd64aring” <em>keyword</em></span></p>
<p style="padding-left: 40px;">(The integrity level is 3 if the process is elevated; otherwise it’s level 2.)</p>
<p>&nbsp;</p>
<p><span style="font-size: 10px;"><img src="https://lh4.googleusercontent.com/CGJyohjktNHgpLrsDyoxYthR4TFZjjiso5JNKf6IoSBdIfLPkwDVBWK6PT5cFz8Scfk3As3b3IidNBjhQ05b7UXHoITDr51VDP7rqOssnCiSGEBJnHvZbSyF3LN4Be6sMT8jfuWQEGR2lpTpSAiC7iA" width="998" height="318" loading="lazy" style="width: 998px; height: auto; max-width: 100%;" alt="Screenshot of C2 check-in"></span></p>
<p style="text-align: center; font-size: 14px;"><em>Fig. 4 – C2 check-in</em></p>
<p>&nbsp;</p>
<ol style="font-size: 16px;">
<li style="color: #000000;" aria-level="1"><span style="color: #000000;">The check-in data is encrypted using the RSA key pair generated by the GenerateRSAKeyPair() function.</span></li>
<li style="color: #000000;" aria-level="1"><span style="color: #000000;">Then a 3b54bd24-92a5-4b91-ad15-de771a497372 UUID (assigned by Mythic during creation) is appended.</span></li>
<li style="color: #000000;" aria-level="1"><span style="color: #000000;">The data is now sent to the Mythic C2 server at 70[.]34[.]214[.]252.</span></li>
</ol>
<p>The C2 was offline during our analysis, but the binary contains a switch statement (Fig. 5) that dispatches a number of tasks (e.g., keylogging, injection, screen capture, uploading/downloading files). Each task is associated with a TaskID, listed in the following table.</p>
<p><span style="font-size: 10px;"><img src="https://lh5.googleusercontent.com/0ZibdpJroLQ3me8ZlQYpAbD_bOZRiEl36okl7WQbKYNng_lFnXGnm7scJM_WiDivICQrMkLRRWnWzWkKs_5M8vWPoA3Ay9cxSN6Lq_UqjnaoIUc8DsPoUDt5fRpXcyJ6mDZDWy4qZ7OhoyVkBVjrkDE" width="893" height="292" loading="lazy" style="width: 893px; height: auto; max-width: 100%;" alt="Switch case having a number of tasks associated with a TaskID"></span></p>
<p style="text-align: center; font-size: 14px;"><em>Fig. 5 – Switch case to perform various tasks</em></p>
<p>&nbsp;</p>
<table style="border-collapse: collapse; table-layout: fixed; margin-left: auto; margin-right: auto; border: 1px solid #99acc2;">
<tbody>
<tr>
<td style="border: 1pt solid #000000;">
<p style="text-align: center; font-size: 16px;"><strong>COMMAND</strong> <strong>CODE (DECIMAL)</strong></p>
</td>
<td style="border: 1pt solid #000000;">
<p style="text-align: center; font-size: 16px;"><strong>TASK</strong></p>
</td>
<td style="border: 1pt solid #000000;">
<p style="text-align: center; font-size: 16px;"><strong>DESCRIPTION</strong></p>
</td>
</tr>
<tr>
<td style="border: 1pt solid #000000;">
<p style="text-align: center;">4</p>
</td>
<td style="border: 1pt solid #000000;">
<p>Shell</p>
</td>
<td style="border: 1pt solid #000000;">
<p>Execute shell commands</p>
</td>
</tr>
<tr>
<td style="border: 1pt solid #000000;">
<p style="text-align: center;">5</p>
</td>
<td style="border: 1pt solid #000000;">
<p>Screencapture_run</p>
</td>
<td style="border: 1pt solid #000000;">
<p>Take a screenshot of victim’s desktop</p>
</td>
</tr>
<tr>
<td style="border: 1pt solid #000000;">
<p style="text-align: center;">6</p>
</td>
<td style="border: 1pt solid #000000;">
<p>Keylog_Run</p>
</td>
<td style="border: 1pt solid #000000;">
<p>Log keystrokes</p>
</td>
</tr>
<tr>
<td style="border: 1pt solid #000000;">
<p style="text-align: center;">7</p>
</td>
<td style="border: 1pt solid #000000;">
<p>Download</p>
</td>
<td style="border: 1pt solid #000000;">
<p>Download file from remote system</p>
</td>
</tr>
<tr>
<td style="border: 1pt solid #000000;">
<p style="text-align: center;">8</p>
</td>
<td style="border: 1pt solid #000000;">
<p>Upload</p>
</td>
<td style="border: 1pt solid #000000;">
<p>Upload file to remote machine</p>
</td>
</tr>
<tr>
<td style="border: 1pt solid #000000;">
<p style="text-align: center;">9</p>
</td>
<td style="border: 1pt solid #000000;">
<p>LibInject</p>
</td>
<td style="border: 1pt solid #000000;">
<p>Inject a library</p>
</td>
</tr>
<tr>
<td style="border: 1pt solid #000000;">
<p style="text-align: center;">10</p>
</td>
<td style="border: 1pt solid #000000;">
<p>Ps_run</p>
</td>
<td style="border: 1pt solid #000000;">
<p>List processes running on machine</p>
</td>
</tr>
<tr>
<td style="border: 1pt solid #000000;">
<p style="text-align: center;">11</p>
</td>
<td style="border: 1pt solid #000000;">
<p>Sleep_run</p>
</td>
<td style="border: 1pt solid #000000;">
<p>Sleep time</p>
</td>
</tr>
<tr>
<td style="border: 1pt solid #000000;">
<p style="text-align: center;">12</p>
</td>
<td style="border: 1pt solid #000000;">
<p>cat_run</p>
</td>
<td style="border: 1pt solid #000000;">
<p>Read the contents of a file</p>
</td>
</tr>
<tr>
<td style="border: 1pt solid #000000;">
<p style="text-align: center;">13</p>
</td>
<td style="border: 1pt solid #000000;">
<p>cd_run</p>
</td>
<td style="border: 1pt solid #000000;">
<p>Change directory</p>
</td>
</tr>
<tr>
<td style="border: 1pt solid #000000;">
<p style="text-align: center;">14</p>
</td>
<td style="border: 1pt solid #000000;">
<p>ls</p>
</td>
<td style="border: 1pt solid #000000;">
<p>List the contents of a directory</p>
</td>
</tr>
<tr>
<td style="border: 1pt solid #000000;">
<p style="text-align: center;">15</p>
</td>
<td style="border: 1pt solid #000000;">
<p>jxa_run</p>
</td>
<td style="border: 1pt solid #000000;">
<p>JavaScript for Automation</p>
</td>
</tr>
<tr>
<td style="border: 1pt solid #000000;">
<p style="text-align: center;">16</p>
</td>
<td style="border: 1pt solid #000000;">
<p>keys_run</p>
</td>
<td style="border: 1pt solid #000000;">
<p>Retrieve keys from Kerberos keychain</p>
</td>
</tr>
<tr>
<td style="border: 1pt solid #000000;">
<p style="text-align: center;">17</p>
</td>
<td style="border: 1pt solid #000000;">
<p>triagedirectory</p>
</td>
<td style="border: 1pt solid #000000;">
<p>Search target directory</p>
</td>
</tr>
<tr>
<td style="border: 1pt solid #000000;">
<p style="text-align: center;">18</p>
</td>
<td style="border: 1pt solid #000000;">
<p>sshauth</p>
</td>
<td style="border: 1pt solid #000000;">
<p>Authenticate to host using username <br>and password pair</p>
</td>
</tr>
<tr>
<td style="border: 1pt solid #000000;">
<p style="text-align: center;">19</p>
</td>
<td style="border: 1pt solid #000000;">
<p>portscan</p>
</td>
<td style="border: 1pt solid #000000;">
<p>Scan target for open ports</p>
</td>
</tr>
<tr>
<td style="border: 1pt solid #000000;">
<p style="text-align: center;">20</p>
</td>
<td style="border: 1pt solid #000000;">
<p>main.getJoblisting</p>
</td>
<td style="border: 1pt solid #000000;">
<p>Get list of current running jobs</p>
</td>
</tr>
<tr>
<td style="border: 1pt solid #000000;">
<p style="text-align: center;">21</p>
</td>
<td style="border: 1pt solid #000000;">
<p>main.killJob</p>
</td>
<td style="border: 1pt solid #000000;">
<p>Kill a process with given PID</p>
</td>
</tr>
<tr>
<td style="border: 1pt solid #000000;">
<p style="text-align: center;">22</p>
</td>
<td style="border: 1pt solid #000000;">
<p>cp_run</p>
</td>
<td style="border: 1pt solid #000000;">
<p>Copy a file</p>
</td>
</tr>
<tr>
<td style="border: 1pt solid #000000;">
<p style="text-align: center;">23</p>
</td>
<td style="border: 1pt solid #000000;">
<p>drives_run</p>
</td>
<td style="border: 1pt solid #000000;">
<p>List currently mounted drives along <br>with their description</p>
</td>
</tr>
<tr>
<td style="border: 1pt solid #000000;">
<p style="text-align: center;">24</p>
</td>
<td style="border: 1pt solid #000000;">
<p>getuser_run</p>
</td>
<td style="border: 1pt solid #000000;">
<p>List information about current user</p>
</td>
</tr>
<tr>
<td style="border: 1pt solid #000000;">
<p style="text-align: center;">25</p>
</td>
<td style="border: 1pt solid #000000;">
<p>mkdir</p>
</td>
<td style="border: 1pt solid #000000;">
<p>Create directory.</p>
</td>
</tr>
<tr>
<td style="border: 1pt solid #000000;">
<p style="text-align: center;">26</p>
</td>
<td style="border: 1pt solid #000000;">
<p>mv</p>
</td>
<td style="border: 1pt solid #000000;">
<p>Move a file</p>
</td>
</tr>
<tr>
<td style="border: 1pt solid #000000;">
<p style="text-align: center;">27</p>
</td>
<td style="border: 1pt solid #000000;">
<p>pwd</p>
</td>
<td style="border: 1pt solid #000000;">
<p>Print working directory</p>
</td>
</tr>
<tr>
<td style="border: 1pt solid #000000;">
<p style="text-align: center;">28</p>
</td>
<td style="border: 1pt solid #000000;">
<p>rm</p>
</td>
<td style="border: 1pt solid #000000;">
<p>Delete a file</p>
</td>
</tr>
<tr>
<td style="border: 1pt solid #000000;">
<p style="text-align: center;">29</p>
</td>
<td style="border: 1pt solid #000000;">
<p>getenv</p>
</td>
<td style="border: 1pt solid #000000;">
<p>Retrieve current environment variables</p>
</td>
</tr>
<tr>
<td style="border: 1pt solid #000000;">
<p style="text-align: center;">30</p>
</td>
<td style="border: 1pt solid #000000;">
<p>setenv</p>
</td>
<td style="border: 1pt solid #000000;">
<p>Set environment variables</p>
</td>
</tr>
<tr>
<td style="border: 1pt solid #000000;">
<p style="text-align: center;">31</p>
</td>
<td style="border: 1pt solid #000000;">
<p>unsetenv</p>
</td>
<td style="border: 1pt solid #000000;">
<p>Delete environment variable</p>
</td>
</tr>
<tr>
<td style="border: 1pt solid #000000;">
<p style="text-align: center;">32</p>
</td>
<td style="border: 1pt solid #000000;">
<p>kill_run</p>
</td>
<td style="border: 1pt solid #000000;">
<p>Kill process with given PID</p>
</td>
</tr>
<tr>
<td style="border: 1pt solid #000000;">
<p style="text-align: center;">33</p>
</td>
<td style="border: 1pt solid #000000;">
<p>curl_run</p>
</td>
<td style="border: 1pt solid #000000;">
<p>Execute curl command</p>
</td>
</tr>
<tr>
<td style="border: 1pt solid #000000;">
<p style="text-align: center;">34</p>
</td>
<td style="border: 1pt solid #000000;">
<p>xpc_run</p>
</td>
<td style="border: 1pt solid #000000;">
<p>Cross-process communication</p>
</td>
</tr>
<tr>
<td style="border: 1pt solid #000000;">
<p style="text-align: center;">35</p>
</td>
<td style="border: 1pt solid #000000;">
<p>socks</p>
</td>
<td style="border: 1pt solid #000000;">
<p>Support for SOCKS proxies</p>
</td>
</tr>
<tr>
<td style="border: 1pt solid #000000;">
<p style="text-align: center;">36</p>
</td>
<td style="border: 1pt solid #000000;">
<p>listtask_run</p>
</td>
<td style="border: 1pt solid #000000;">
<p>Get list of running tasks</p>
</td>
</tr>
<tr>
<td style="border: 1pt solid #000000;">
<p style="text-align: center;">37</p>
</td>
<td style="border: 1pt solid #000000;">
<p>list_entitlements_Run</p>
</td>
<td style="border: 1pt solid #000000;">
<p>List entitlements (permissions associated <br>with a particular PID)</p>
</td>
</tr>
<tr>
<td style="border: 1pt solid #000000;">
<p style="text-align: center;">38</p>
</td>
<td style="border: 1pt solid #000000;">
<p>Execute_memory</p>
</td>
<td style="border: 1pt solid #000000;">
<p>Execute shellcode directly from memory</p>
</td>
</tr>
<tr>
<td style="border: 1pt solid #000000;">
<p style="text-align: center;">39</p>
</td>
<td style="border: 1pt solid #000000;">
<p>jsimport_run</p>
</td>
<td style="border: 1pt solid #000000;">
<p>Load the specified JavaScript module</p>
</td>
</tr>
<tr>
<td style="border: 1pt solid #000000;">
<p style="text-align: center;">43</p>
</td>
<td style="border: 1pt solid #000000;">
<p>dyld_inject_Run</p>
</td>
<td style="border: 1pt solid #000000;">
<p>Inject dynamic library</p>
</td>
</tr>
</tbody>
</table>
<p>&nbsp;</p>
<p>This payload serves as an all-purpose backdoor. Using the commands above, an attacker can take control of an infected host, record keystrokes, deploy additional stages, capture the screen, or remotely monitor the machine in a variety of ways.</p>
<p>&nbsp;</p>
<h2 style="font-size: 36px;">Threat Intelligence</h2>
<p>hxxps://sharing1[.]filesharetalk[.]com is the site from which the bosshelp Poseidon payload is downloaded (not to be confused with the legitimate filesharingtalk[.]com domain). Passive DNS data resolves it to 153[.]92[.]220[.]48, an IP address linked to <a href="https://attack.mitre.org/groups/G0134/"><span>APT 36</span></a>.</p>
<p><span style="font-size: 10px;"><img src="https://lh5.googleusercontent.com/VCJy_wOR7FR-IHJsWbSQ-HAGkD18gAG1IkLOfZAK6cw1aEqtg0Nt3FExHqKMtbJY5YmTC6sHA2wW9zRNDKPLba3OlP09BpevTtG8oRdwwmDnap_5-7PO872lRqOEIQCpysaAZi5hfX5MaikL2YLowEE" width="1076" height="504" loading="lazy" alt="Passive DNS replication of site &quot;sharing1[.]filesharetalk.com&quot;"></span></p>
<p style="text-align: center; font-size: 14px;"><em>Fig. 6 – Passive DNS records for sharing1[.]filesharetalk[.]com</em></p>
<p>&nbsp;</p>
<p>The next table lists suspicious domains hosted on the same IP (153[.]92[.]220[.]48) that masquerade as various Indian government sites. All were used in earlier APT-36 campaigns.</p>
<p>&nbsp;</p>
<table style="border-collapse: collapse; table-layout: fixed; margin-left: auto; margin-right: auto; border: 1px solid #99acc2;">
<tbody>
<tr>
<td style="border: 1pt solid #000000;">
<p style="text-align: center; font-size: 16px; font-weight: bold;">SUSPICIOUS DOMAINS</p>
</td>
<td style="border: 1pt solid #000000;">
<p style="text-align: center; font-size: 16px; font-weight: bold;">LEGIT DOMAINS</p>
</td>
<td style="border: 1pt solid #000000;">
<p style="text-align: center; font-size: 16px; font-weight: bold;">OTHER AV DETECTIONS FOR SUSPICIOUS DOMAINS</p>
</td>
</tr>
<tr>
<td style="border: 1pt solid #000000;">
<p style="text-align: center; font-size: 16px;">govscholarships[.]in</p>
</td>
<td style="border: 1pt solid #000000;">
<p style="text-align: center; font-size: 16px;">scholarships.gov.in</p>
</td>
<td style="border: 1pt solid #000000;">
<p style="text-align: center; font-size: 16px;">3</p>
</td>
</tr>
<tr>
<td style="border: 1pt solid #000000;">
<p style="text-align: center; font-size: 16px;">kavach-app[.]in</p>
</td>
<td style="border: 1pt solid #000000;">
<p style="text-align: center; font-size: 16px;">kavach.mail.gov.in</p>
</td>
<td style="border: 1pt solid #000000;">
<p style="text-align: center; font-size: 16px;">11</p>
</td>
</tr>
<tr>
<td style="border: 1pt solid #000000;">
<p style="text-align: center; font-size: 16px;">supremo-portal[.]in</p>
</td>
<td style="border: 1pt solid #000000;">
<p style="text-align: center; font-size: 16px;">supremo.nic.in</p>
</td>
<td style="border: 1pt solid #000000;">
<p style="text-align: center; font-size: 16px;">6</p>
</td>
</tr>
</tbody>
</table>
<p>&nbsp;</p>
<h2>Similar Campaigns</h2>
<p>The sample with MD5 382285738bae358060011ad847e845d2 (name: confirmationId_ksb) masquerades as the Kendriya Sainik Board site, as seen in Fig. 7.</p>
<p>Suspicious site present in the malicious PyInstaller file: www[.]ksboard[.]in<br>Legitimate site: ksb[.]gov[.]in</p>
<p>The sample with MD5 02796a813b79928c95b2475798a14688 (name: confirmationId_rodra) masquerades as RODRA (Retired Officers Digital Records Archive), as seen in Fig. 8.<br>Suspicious site present in the malicious PyInstaller file: www[.]rodra[.]in<br>Legitimate site: rodra[.]gov[.]in</p>
<p>&nbsp;</p>
<p><span style="font-size: 10px;"><img src="https://lh3.googleusercontent.com/obTyBbXp4ZYd_QzDww922aB_ao1RcE4Gv5oWHzQMwHFB2Nc8AoIN99vgjoMaJpxqWpPSpGJtsgHmpZC5Px7l5Os23mPIyTN8uGdfAwlxZL1bPUr5g8VucfZCBYX0i3JSgmfSkXAKAXlkcJ12TwC7QFQ" width="829" height="609" loading="lazy" style="width: 829px; height: auto; max-width: 100%;" alt="Shows decompiled Python code from malicious pyinstaller confirmationId_ksb"></span></p>
<p style="text-align: center; font-size: 14px;"><em>Fig. 7 – Decompiled Python code from malicious pyinstaller confirmationId_ksb</em></p>
<p>&nbsp;</p>
<p><span style="font-size: 10px;"><img src="https://lh5.googleusercontent.com/0fJE8L78pdoJ144Cx7be5SGjDjLIGUatsJNOow9xGnXp2Kqy_XNNpt61p4iMyH6KnH_yzkAiQEZ-2_uASojB_MzvwB0qfSutD_dvnPzqPTVnROg-FBKqID7qFD0yK1E-JL5WFiiFsDgFa5PDjOHiryg" width="856" height="282" loading="lazy" style="width: 856px; height: auto; max-width: 100%;" alt="Screenshot of decompiled Python code from malicious pyinstaller confirmationId_rodra"></span></p>
<p style="text-align: center; font-size: 14px;"><em>Fig. 8 – Decompiled Python code from malicious pyinstaller confirmationId_rodra</em></p>
<p>&nbsp;</p>
<h2>Conclusion</h2>
<p>Transparent Tribe is an APT group that targets users working within the Indian government. It has previously deployed many payloads on Windows and Android; now APT 36 has started targeting Linux users, too. Fake sites impersonating Kavach, RODRA, and KSB were used in social engineering attacks to trick targeted users. Users should be extremely careful and double-check URLs before opening or downloading files.</p>
<p>We could see new features/advancements from this APT group in the future. The Uptycs threat research team continuously monitors related malware campaigns to safeguard our clients and inform the broader security community.</p>
<p>&nbsp;</p>
<h2>Uptycs XDR Detection</h2>
<p>In addition to having YARA built-in and being armed with other advanced detection capabilities, Uptycs XDR users can easily scan for Poseidon. XDR contextual detection provides important details about identified malware. Users can navigate to the toolkit data section in the detection alert, then click a detected item to reveal its profile (Fig. 9).</p>
<p>&nbsp;</p>
<p><img src="https://lh4.googleusercontent.com/IFIH84N553mR_liC0Ars13IBbU6sLTkoMMIVe_IKe9qUYOPTfSpVwb_Fui7dSzQypGnfRd0DACDlXi84hXl82wvBR_MvvSE89B5RPsCg0h20jg-TCMbv_eRIDXPXS8QB9FohAeNed1NpqEBJloYAVdw" width="838" height="456" loading="lazy" alt="Uptycs dashboard showing toolkit data section in the detection alert" style="width: 838px; height: auto; max-width: 100%;"></p>
<p style="font-size: 14px; text-align: center;"><em>Fig. 9 – Uptycs EDR detection</em></p>
<p>&nbsp;</p>
<a id="IOC" data-hs-anchor="true"></a>
<h2>IOC</h2>
<p>&nbsp;</p>
<h3><strong>Hashes</strong></h3>
<p>&nbsp;</p>
<table style="border-collapse: collapse; table-layout: fixed; margin-left: auto; margin-right: auto; border: 1px solid #99acc2;">
<tbody>
<tr>
<td style="border: 1pt solid #000000;">
<p style="text-align: center;"><strong>File Name</strong></p>
</td>
<td style="border: 1pt solid #000000;">
<p style="text-align: center;"><strong>MD5</strong></p>
</td>
</tr>
<tr>
<td style="border: 1pt solid #000000;">
<p>Kavach</p>
</td>
<td style="border: 1pt solid #000000;">
<p>c82bf2c50900b89b66e9f62d68c415ab</p>
</td>
</tr>
<tr>
<td style="border: 1pt solid #000000;">
<p>confirmationId_ksb</p>
</td>
<td style="border: 1pt solid #000000;">
<p>382285738bae358060011ad847e845d2</p>
</td>
</tr>
<tr>
<td style="border: 1pt solid #000000;">
<p>confirmationId_rodra</p>
</td>
<td style="border: 1pt solid #000000;">
<p>02796a813b79928c95b2475798a14688</p>
</td>
</tr>
<tr>
<td style="border: 1pt solid #000000;">
<p>Bosshelp</p>
</td>
<td style="border: 1pt solid #000000;">
<p>aeb3ad3426794d4e90de4d139e92ee4d</p>
</td>
</tr>
<tr>
<td style="border: 1pt solid #000000;">
<p>Bossstart</p>
</td>
<td style="border: 1pt solid #000000;">
<p>21316422f8c7f0f3ab2b9a282cdacd03</p>
</td>
</tr>
<tr>
<td style="border: 1pt solid #000000;">
<p>Bosstype</p>
</td>
<td style="border: 1pt solid #000000;">
<p>7b163e400e481519d74e06c1116a5200</p>
</td>
</tr>
<tr>
<td style="border: 1pt solid #000000;">
<p>Kavachelf</p>
</td>
<td style="border: 1pt solid #000000;">
<p>9b64528352dd683e55eb308919a596fa</p>
</td>
</tr>
</tbody>
</table>
<p>&nbsp;</p>
<h3><strong>URLs &amp; IP</strong></h3>
<p><span style="font-family: 'Courier New', Courier, monospace;">sharing1[.]filesharetalk[.]com/bosshelp</span></p>
<p><span style="font-family: 'Courier New', Courier, monospace;">ksboard[.]in</span></p>
<p><span style="font-family: 'Courier New', Courier, monospace;">rodra[.]in</span></p>
<p><span style="font-family: 'Courier New', Courier, monospace;">tt1[.]apktrial[.]com</span></p>
<p><span style="font-family: 'Courier New', Courier, monospace;">70[.]34[.]214[.]252</span></p></span></div>
    </div>
    
    <!-- End Blog Post Body -->
  
  
    
  
  </section>

</main>


    
    
    
    





</body></html>